realm policyreferece attribute in krb5_ldap_read_realm_params()function
rsavitha at novell.com
Thu May 22 06:15:01 EDT 2008
The current implementation does not make use of the policy reference at
the realm object level. If you look at kdb5_ldap_util, it does not provide an
option for you to set this attribute. The code to read the policy object in
krb5_ldap_read_realm_params() never gets executed.
We had initially thought of supporting the policy reference at the realm level.
But later felt that it is sufficient to go with the attributes directly on the realm
object since we dont expect too many realm objects and configuring it directly
on the realm wouldn't be an issue.
>>> On Tue, May 20, 2008 at 1:01 AM, in message
<1211225468.11251.20.camel at klausk.br.ibm.com>, Klaus Heinrich Kiwi
<klausk at linux.vnet.ibm.com> wrote:
> looking at the krb5_ldap_read_realm_params() function (file:
> src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c), I'm trying to understand
> where does the rlparams->policyreference value comes from, since it's
> used in the conditional around line 1368.
> I was hoping to find a query to "krbTicketPolicyReference" along with
> other krbRealmContainer attributes right above this line.
>>From my initial analysis, looks like if *mask doesn't bring any of the
> LDAP_REALM_MAXTICKETLIFE, LDAP_REALM_MAXRENEWLIFE or
> LDAP_REALM_KRBTICKETFLAGS flags, the code to query those from the policy
> reference dn will always be skipped since rlparams->policyreference is
> always NULL (even if there *is* a krbTicketPolicyReference attribute in
> the Realm Container object).
> Any comments are welcome.
More information about the krbdev